[ 3.8.y.z extended stable ] Patch "xhci: fix list access before init" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Jun 7 20:29:21 UTC 2013 

This is a note to let you know that I have just added a patch titled

    xhci: fix list access before init

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.3.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 9deae670bc2beb5ffd7f9913622cd7a7f962e568 Mon Sep 17 00:00:00 2001
From: Vladimir Murzin <murzin.v at gmail.com>
Date: Tue, 9 Apr 2013 22:33:31 +0400
Subject: xhci: fix list access before init

commit 88696ae432ce7321540ac53d9caab3de9118b094 upstream.

If for whatever reason we fall into fail path in xhci_mem_init()
before bw table gets initialized we may access the uninitialized lists
in xhci_mem_cleanup().

Check for bw table before traversing lists in cleanup routine.

This patch should be backported to kernels as old as 3.2, that contain
the commit 839c817ce67178ca3c7c7ad534c571bba1e69ebe "xhci: Store
information about roothubs and TTs."

Reported-by: Sergey Dyasly <dserrg at gmail.com>
Tested-by: Sergey Dyasly <dserrg at gmail.com>
Signed-off-by: Vladimir Murzin <murzin.v at gmail.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp at linux.intel.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/usb/host/xhci-mem.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 59c08b2..0618f25 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1847,6 +1847,9 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
 	}
 	spin_unlock_irqrestore(&xhci->lock, flags);

+	if (!xhci->rh_bw)
+		goto no_bw;
+
 	num_ports = HCS_MAX_PORTS(xhci->hcs_params1);
 	for (i = 0; i < num_ports; i++) {
 		struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table;
@@ -1865,6 +1868,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
 		}
 	}

+no_bw:
 	xhci->num_usb2_ports = 0;
 	xhci->num_usb3_ports = 0;
 	xhci->num_active_eps = 0;
--
1.8.1.2

More information about the kernel-team mailing list